Sophos Identifies Source Of “MrbMiner” Attacks Targeting Database Servers

Sophos, a global leader in next-generation cybersecurity, today
published a new report on MrbMiner, “MrbMiner: Cryptojacking to bypass international sanctions,”
tracking its origin and management to a small software development company based in Iran.
MrbMiner is a recently discovered cryptominer that targets internet-facing database servers (SQL
servers), on which it downloads and installs its mining payload. Database servers are an attractive target for
cryptojackers because they are built for resource-intensive workloads and therefore have powerful
processing capability.
SophosLabs found that the attackers used multiple routes to install the malicious mining software on
a targeted server, with the cryptominer payload and configuration files packed into deliberately misnamed zip archive files.
The domain name of an Iran-based software company was hardcoded into the miner’s main configuration
file. That domain is connected to many other zip files that also contain copies of the miner, and those zip
files have in turn been downloaded from other domains, one of which is mrbftp.xyz.
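The report notes that the payload and configuration were delivered in deliberately misnamed zip archives. A defender can catch that trick without trusting the filename at all, because a zip archive always starts with a `PK` signature. The script below is an added example written for this page; it is not code from Sophos or from the MrbMiner report. It scans a set of files, compares each file's extension with its magic bytes, and lists the members of any archive that is hiding behind a non-zip name. The filenames and contents are constructed sample data, not real MrbMiner artifacts.

```python
import io
import zipfile
from pathlib import Path
from typing import Dict, List, Tuple

# The three signatures a zip file can begin with: a local file header,
# an empty archive's end-of-central-directory record, and a spanned archive marker.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def looks_like_zip(data: bytes) -> bool:
    """Decide by content, not by name, whether a blob is a zip archive."""
    return data[:4] in ZIP_MAGICS


def classify(name: str, data: bytes) -> str:
    """Compare the claimed extension with the real container format.

    Returns one of:
      "zip-disguised" - zip content under a non-.zip name (the MrbMiner pattern)
      "not-a-zip"     - .zip name but no zip signature
      "consistent"    - name and content agree
    """
    ext = Path(name).suffix.lower()
    is_zip = looks_like_zip(data)
    if is_zip and ext != ".zip":
        return "zip-disguised"
    if ext == ".zip" and not is_zip:
        return "not-a-zip"
    return "consistent"


def members_of(data: bytes) -> List[Tuple[str, int]]:
    """List (filename, uncompressed size) for every member of a zip blob.

    Only the top level is inspected; nested or encrypted archives would need
    further handling and are outside the scope of this example.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def scan(files: Dict[str, bytes]) -> Dict[str, dict]:
    """Run the extension-vs-signature check over a name -> bytes mapping."""
    report = {}
    for name, data in files.items():
        verdict = classify(name, data)
        entry = {"verdict": verdict}
        if verdict == "zip-disguised":
            entry["members"] = members_of(data)
        report[name] = entry
    return report


def scan_directory(root: str) -> Dict[str, dict]:
    """Same check against a real directory tree (reads whole files; fine for a drop folder)."""
    files = {str(p): p.read_bytes() for p in Path(root).rglob("*") if p.is_file()}
    return scan(files)


def build_sample_files() -> Dict[str, bytes]:
    """Constructed sample data: one disguised archive, one honest text file,
    one file that claims to be a zip but is not."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("miner.exe", b"\x00" * 64)          # stand-in for a payload
        zf.writestr("config.json", b'{"pool": "example.invalid"}')
    disguised = buf.getvalue()
    return {
        "update.txt": disguised,                         # zip bytes, .txt name
        "readme.txt": b"plain text, nothing to see",
        "archive.zip": b"not really an archive",         # .zip name, no signature
    }


if __name__ == "__main__":
    for name, entry in scan(build_sample_files()).items():
        print(name, entry)
```

Running the script prints `update.txt` as `zip-disguised` together with its two members, `archive.zip` as `not-a-zip`, and `readme.txt` as `consistent`. The check is cheap enough to run on every file that lands in a web root, temp directory or database server drop folder, and it is independent of whatever name the attacker chose.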
“In many ways, MrbMiner’s operations appear typical of most cryptominer attacks we’ve seen
targeting internet-facing servers,” said Gabor Szappanos, threat research director, SophosLabs. “The
difference here is that the attacker appears to have thrown caution to the wind when it comes to
concealing their identity. Many of the records relating to the miner’s configuration, its domains and
IP addresses, signpost to a single point of origin: a small software company based in Iran.
“In an age of multi-million dollar ransomware attacks that bring organizations to their knees, it can
be easy to discount cryptojacking as a nuisance rather than a serious threat, but that would be a
mistake. Cryptojacking is a silent and invisible threat that is easy to implement and very difficult to
detect. Further, once a system has been compromised it presents an open door for other threats,
such as ransomware. It is therefore important to stop cryptojacking in its tracks. Look out for signs
such as a reduction in computer speed and performance, increased electricity use, devices
overheating and increased demands on the CPU.”
Further information on MrbMiner and other cyberthreats can be found on SophosLabs Uncut,
where Sophos researchers regularly publish their latest research and breakthrough findings, such as
Kingminer escalates attack complexity for cryptomining, as well as Lemon_Duck cryptominer targets
cloud apps and Linux, and MyKings botnet spreads headaches, cryptominers and Forshare malware.
Researchers can follow SophosLabs Uncut in real time on Twitter at @SophosLabs.
